CyberWire Daily - VPN compromise causes concerns.

Episode Date: January 31, 2024

Global Affairs Canada investigates a major data breach. New York sues Citibank over inadequate online security. Alpha ransomware launches a dedicated leak site on the dark web. A leaked database with 50 million records may or may not be real. CISA and the FBI provide guidance for SOHO routers. Patch ‘em if ya got ‘em. KrustyLoader exploits Ivanti weaknesses. Unit 42 tracks a large-scale scareware campaign. Alex Stamos calls Microsoft’s security strategies “morally indefensible.” Our guests are Gianna Whitver and Maria Velasquez from the Cybersecurity Marketing Society to talk about their new podcast "Breaking Through in Cybersecurity Marketing." And do you have what it takes to protect His Majesty’s royal laptop?

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Guests Gianna Whitver and Maria Velasquez from the Cybersecurity Marketing Society join Dave to share about their podcast "Breaking Through in Cybersecurity Marketing," which is joining the N2K network. You can listen to their newest episode on our network.

Selected Reading
Global Affairs investigating 'malicious' hack after VPN compromised for over one month (National Post)
Lawsuit: Citibank refused to reimburse scam victims who lost “life savings” (Ars Technica)
Unveiling Alpha Ransomware: A Deep Dive into Its Operations (Netenrich)
Nearly 50 million Europcar customer records put up for sale on the dark web – or were they? (ITPro)
Apple and Google Just Patched Their First Zero-Day Flaws of the Year (WIRED)
Threat actors exploit Ivanti VPN bugs to deploy KrustyLoader Malware (Security Affairs)
ApateWeb: An Evasive Large-Scale Scareware and PUP Delivery Campaign (Palo Alto Networks)
Microsoft's Dangerous Addiction To Security Revenue (LinkedIn)
Be the Royal Family’s Cybersecurity Manager, and get a cut-price honey dipper! (Graham Cluley)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Global Affairs Canada investigates a major data breach. New York sues Citibank over inadequate online security. Alpha ransomware launches a dedicated leak site on the dark web. A leaked database with 50 million records may or may not be real.
Starting point is 00:02:16 CISA and the FBI provide guidance for SOHO routers. Patch 'em if ya got 'em. KrustyLoader exploits Ivanti weaknesses. Unit 42 tracks a large-scale scareware campaign. Alex Stamos calls Microsoft's security strategies morally indefensible. Our guests are Gianna Whitver and Maria Velasquez from the Cybersecurity Marketing Society to talk about their new podcast, Breaking Through in Cybersecurity Marketing. And do you have what it takes to protect His Majesty's royal laptop?
Starting point is 00:02:58 It's Wednesday, January 31st, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Welcome back, and thank you for joining us here today. Global Affairs Canada is investigating a major data breach caused by the compromise of one of its virtual private networks, affecting employee data and email. The breach began around December 20th, 2023, and was only discovered on January 24th, just about a week ago. Hackers accessed emails and files on both personal and shared drives of employees who used SIGNET laptops to connect remotely to GAC servers during this period. The department publicly acknowledged the breach following inquiries from the National Post, confirming it as a result of malicious cyber activity.
Starting point is 00:04:00 The exact scale and timeline of the breach are still under investigation. In response, Global Affairs Canada disabled the compromised VPN and asked employees to reset passwords and encryption keys. Critical services and external communication channels remain operational. The breach was reported to the Federal Privacy Commissioner as required for significant personal information breaches. This incident marks the second major cyber attack on GAC in two years, with the previous one in early 2022 suspected to be a Russia-backed cyber threat, although not officially confirmed by the government. New York Attorney General Letitia James has filed a lawsuit against Citibank,
Starting point is 00:04:45 accusing the bank of failing to reimburse scam victims and employing inadequate online security measures. The lawsuit alleges that Citi's weak protections have led to unauthorized account takeovers and that the bank had misled customers about their rights following hacks and thefts. Victims, including those who lost life savings and college funds, were denied reimbursement despite Citi's insufficient data security and ineffective response to fraud alerts, according to the Attorney General. The case cites instances where large wire transfers by scammers were approved without direct contact with customers.
Starting point is 00:05:24 In one case, a woman lost $35,000, and in another, a customer lost $40,000 due to unauthorized wire transfers. Citi defends its practices, stating that banks are not obligated to refund clients who follow criminals' instructions, but they acknowledge an increase in wire fraud. The lawsuit argues that under the Electronic Fund Transfer Act, Citi is required to reimburse unauthorized debits, and seeks a permanent injunction, an accounting of customer losses, restitution, damages, and civil penalties. Citibank claims to have implemented leading security protocols and fraud prevention tools, reducing client wire fraud losses. Security firm Netenrich notes that Alpha ransomware, a new group distinct
Starting point is 00:06:13 from ALPHV ransomware, has recently launched its dedicated data leak site on the dark web, listing data from six victims. The group has been active since May 2023. As of now, Alpha ransomware isn't prevalent, with low infection rates and no active sample available for analysis. The group's ransom demands lack consistency, suggesting they are skilled yet amateurish in the ransomware arena. More victims are expected as Alpha ransomware gains visibility and leaves more digital footprints. Continued monitoring is crucial for understanding and countering
Starting point is 00:06:51 this emerging threat. A database purportedly containing 50 million records from Europcar was offered for sale on a hacking forum, raising concerns about a major data breach. However, Europcar has declared the database fake, noting discrepancies and inconsistencies in the data. According to Europcar, the sample data, including email addresses, did not match their records. They suggested the data might have been generated using AI, pointing out anomalies like non-existent addresses and mismatched zip codes.
Starting point is 00:07:26 Security researcher Huseyin Can Yuceel from Picus Security suggested the incident was more of a social engineering attack than an actual data breach, possibly using AI-generated fake data to pressure Europcar into paying a ransom. While the authenticity of the data remains unverified, the incident has raised questions about AI's role in cyber attacks and the need for businesses to adjust their incident response strategies accordingly. Troy Hunt, founder of Have I Been Pwned, cautioned against concluding that AI was used, noting that many email addresses in the database were from previous breaches. Today, CISA and the FBI released guidance for small office/home office, that's SOHO, device manufacturers as part of the Secure by Design Alert series.
Starting point is 00:08:20 This guidance aims to shift the security burden away from customers by incorporating security into product design and development. The focus is on preventing the China-sponsored Volt Typhoon group from compromising SOHO routers. Additionally, manufacturers are encouraged to disclose vulnerabilities through the Common Vulnerabilities and Exposures program and provide accurate Common Weakness Enumeration classifications. The alert also emphasizes the importance of incentive structures that prioritize security in product design and development. We are not quite a month into 2024, and major tech companies have been busy addressing critical
Starting point is 00:08:57 security vulnerabilities. Apple rolled out iOS 17.3, addressing an exploited WebKit flaw and introducing Stolen Device Protection. Meanwhile, Google patched several Android system vulnerabilities and addressed an actively exploited Chrome bug. Microsoft's January Patch Tuesday targeted around 50 vulnerabilities, including critical flaws in Office and Windows Kerberos. Mozilla Firefox fixed 15 issues, with five rated high severity. In the enterprise domain, Cisco and SAP released fixes for significant vulnerabilities, including a high-risk Cisco bug allowing remote code execution. Software firm Ivanti recently identified that hackers were exploiting two zero-day vulnerabilities in its Connect Secure and Policy Secure software. These vulnerabilities allowed remote command
Starting point is 00:09:52 execution on targeted gateways. Researchers from cybersecurity firm Synacktiv say that threat actors are actively exploiting these vulnerabilities globally, targeting a wide range of industries including government, military, telecommunications, technology, finance, and aerospace. The attacks have resulted in the deployment of cryptocurrency miners and Rust-based malware, notably KrustyLoader, which downloads a Golang-based Sliver backdoor. Sliver, which is gaining popularity among hackers, provides advanced control capabilities. Ivanti is working on patches, and cybersecurity researchers have released detection tools and rules for KrustyLoader. So I'm a thief, am I? Well, excuse me! Researchers from Palo Alto's Unit 42 uncovered a large-scale campaign named ApateWeb,
Starting point is 00:10:49 involving over 130,000 domains used to distribute scareware, potentially unwanted programs, PUPs, and scam pages. This campaign, active since 2022, employs deceptive emails and JavaScript on websites to redirect users to harmful content. ApateWeb's sophisticated infrastructure utilizes multiple redirections and is controlled by a central group employing tactics like cloaking and wildcard DNS abuse to evade detection. The campaign has significant reach, impacting users globally with millions of monthly hits from the U.S., Europe, and Asia. In November of last year alone, about 3.5 million sessions were blocked across nearly 75,000 devices.
Starting point is 00:11:37 An editorial from Alex Stamos, chief trust officer at SentinelOne and former Facebook CSO, discusses Microsoft's handling of their recent security breach, known as Midnight Blizzard, conducted by Russian intelligence services. Stamos criticizes Microsoft for downplaying the breach's severity, which involved exploiting vulnerabilities in Azure Active Directory and Microsoft 365, affecting multiple companies. He highlights the complexity of Azure AD and its vulnerability to hybrid deployment attacks.
Starting point is 00:12:17 The editorial also accuses Microsoft of using the breach to upsell their security products, like Microsoft Entra ID Protection and Purview Audit, calling it morally indefensible. Stamos argues that Microsoft's approach to security, treating it as a separate profit center, undermines the safety of their products, and advocates for secure-by-default products with all necessary security features included.
Starting point is 00:12:44 He urges Microsoft to reassess its approach to cybersecurity. We note that Microsoft is a CyberWire partner. Thank you. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security,
Starting point is 00:13:45 but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Starting point is 00:14:20 Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk.
Starting point is 00:15:09 In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. The new podcast Breaking Through in Cybersecurity Marketing is the latest to join the CyberWire podcast network. Joining me today are the hosts of that show, Gianna Whitver and Maria Velasquez. They are from the Cybersecurity Marketing Society. Here's our conversation. Gianna and Maria, welcome to our show. I have to start out by saying how excited we all are here at N2K and the CyberWire that you all are joining our CyberWire network with your podcast. For folks who aren't familiar with the show, can you give us a little brief description of what it is all about and what is your mission here? Gianna, you want to kick things off for us?
Starting point is 00:16:05 Sure. Breaking Through in Cybersecurity Marketing is a podcast to share the stories, successes, and failures of marketers working in this topsy-turvy, constantly changing, highly technical industry of cybersecurity. Maria, you are co-host of the show here. How is it formatted? What are the conversations like? Well, it's really a lot of storytelling. We invite the most interesting marketers
Starting point is 00:16:34 within our industry, and we go into it with as much detail as possible about their winning strategies, the campaigns they're most proud of. We do a little bit of therapy sometimes about marketers dealing with the sales team. And it ends up being really a bunch of marketers together, peers just chatting and having a really nice
Starting point is 00:16:58 and authentic conversation about our challenges, our wants and needs, and our aspirations for our careers as well. Can we go to a little bit of a higher level here and get a little information about the Cybersecurity Marketing Society itself? What is the mission of the organization? The Cybersecurity Marketing Society exists so that any marketer in the cybersecurity industry can have an amazing career. We provide resources, education, and networking and community for marketers in the industry. When you are part of the Cybersecurity Marketing Society, you're going to level up your game.
Starting point is 00:17:39 You're going to become a better marketer. And you're also going to make lifelong professional connections that will help you in your career. And hopefully you will give back as well. Maria, I'm curious, what are some of the specific challenges that marketers face in the cybersecurity world? Oh, gosh. Well, I think the biggest one really is breaking that wall and barrier between us and the cybersecurity practitioner community. To this day, there hasn't been really a forum where we can come together and really just level set what each side needs and what we all can do better. Because at the end of the day, we're all sort of going after one goal, one massive dream against the threats and the cyber criminals out there. And so we're very excited that we are starting to do that and starting to build the avenue and the vehicle for conversation back and
Starting point is 00:18:34 forth. Marketers are part of the ecosystem of cybersecurity, and we want to be doing a great job of connecting with security individuals, not annoying, not bothering. We want to help make the world a better place too. And we want to do it all together. So we're excited that we're helping move the industry forward in the Cybersecurity Marketing Society. And we're starting with the buzzwords. What sort of buzzwords do you mean?
Starting point is 00:19:04 I don't know. A lot of annoying ones that we get feedback on. Ah, okay. Fair enough. Fair enough. Believe me, as a person who has to say those buzzwords on a daily basis as part of my job, I am on board with your mission to demystify the buzzwords. I'm curious, you know, I think there are a lot of great things about cybersecurity,
Starting point is 00:19:25 but I think a valid criticism is that there can be a lot of gatekeeping. And particularly when you talk about, you know, folks who may not have some of the high level technical skills that some of the, you know, the elite practitioners have. But, you know, you all mentioned earlier in our conversation that we need everybody. In order to complete this mission, we need people with all sorts of different skills. And it strikes me that that's something that the Cybersecurity Marketing Society is approaching head on. We absolutely are. And it's interesting you say, you know, gatekeeping. It's tough to break in also to marketing in the cybersecurity industry. It's not easy. A lot of companies want you to have an existing cybersecurity marketing experience
Starting point is 00:20:14 too. So, you know, it's not exactly the same, but similar to security professionals. If you're a marketer and you are trying to go work at a security company, I mean, you better have already worked at a security company because people are also looking for that very specialized knowledge and skillset on the business side of the house as well. We are working every day
Starting point is 00:20:34 and we have exciting launches upcoming this year to help more marketers break into the industry, to hone their skills and to help make cybersecurity marketing a more accessible career for those who want to join it. Maria? Yeah, I mean, we didn't have this when we started in cybersecurity marketing. And so what a privilege to be able to provide as many resources and mentors as possible for those newcomers within the industry. It is very unique within the tech, right, overall industry. And so this community and this set of resources and mentors that we've been able to gather under one roof should really, just like
Starting point is 00:21:22 Gianna said, move the industry forward, especially on the vendor side. You know, actually, how I got into cybersecurity marketing was by accident. But Maria, and the reason me and Maria know each other is because she helped me with no expectation in return, by the way. I was new to the industry and I was like, what is RSA? Events? Like, what's a black hat, right?
Starting point is 00:21:48 I was working at a threat intelligence company. It was just completely like... I had worked in tech before too, right? But I was just completely underwater with all these terms and the people we were trying to market to and the people we were trying to connect to. It was like a whole new world and a completely new world with completely new everything. And Maria, we had met and she helped me cross that bridge to having knowledge and expertise in the industry by sharing and being helpful and just being a wonderful peer mentor. And that's what we've built in our community as well in the Cybersecurity Marketing Society. That's the foundation of the community. We didn't have this when Maria and I were starting out.
Starting point is 00:22:29 I just had her and Maria. I don't know who you had. But now we have a place for, along with experienced people, CMOs, the highest levels of marketing. We have a place for mid-level and junior marketers as well to learn and grow and be successful. You mentioned at the outset that you're going to be talking about the successes, but the failures as well. And I remember my colleague, Bennett Moe, who helps lead our sales team here at the CyberWire and N2K, coming back from one of your events was saying what a great experience it was because so many people were willing to share and there was an environment of openness.
Starting point is 00:23:10 I'm really interested that you're bringing that to the podcast as well, that it's not all just sunshine, that people are going to share their challenges as well. Absolutely. Yeah. I mean, a lot of the speakers at the conference had handouts. They had templates that attendees can, you know, take away and apply today in their job from product launches to demand gen to advertising, every possible channel you can think of in marketing. We had best practices for and resources for and subject matter experts that you can go to. So yeah, that was really wonderful to see. And, you know, failures are fun in retrospect. Failures are fun. Everyone loves to hear a good, that didn't work story. And as marketers and in our community, this culture we've built is we want to help others succeed and helping others succeed.
Starting point is 00:24:04 It, you know, a part of it is saying this didn't work for me. It might not work for you. I spent X amount and I got zero in return, or I did this and it spectacularly failed. And it also creates this feeling of acceptance too, because in this industry, it's so constantly fast-paced that you're going to fail. You're going to fail at some point as a marketer, as a security professional, as anyone. You are going to fail, screw up, do something that doesn't pan out. And hey, that's okay. We all live and we move on with our lives and careers. All right. Well, the name of the podcast is Breaking Through in Cybersecurity Marketing. Gianna and Maria, thank you so much for joining us.
Starting point is 00:24:46 For our listeners, when can they expect to hear the show? Every Wednesday at 3 a.m. Eastern, if they want to be up that early. Okay, for those who just can't wait, it is the newest show on our CyberWire network, and we are excited to have you both join us. Thanks so much. Cyber threats are evolving every second and staying ahead is more than just a challenge.
Starting point is 00:25:22 It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Starting point is 00:25:43 Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. With TD Direct Investing, new and existing clients could get 1% cash back. Great, that's 1% closer to being part of the 1%. Maybe, but definitely 100% closer to getting 1% cash back with TD Direct Investing. Conditions apply. Offer ends January 31st, 2025.
Starting point is 00:26:20 Visit td.com slash dioffer to learn more. And finally, Graham Cluley points out that the UK's royal household is seeking a cybersecurity manager to protect King Charles, his family, and the staff from digital threats. Based in Buckingham Palace, the role entails leading the cyber risk management strategy and the cybersecurity framework in alignment with best practices. Responsibilities include managing an in-house team, fostering a secure-by-design culture in collaboration with the enterprise architecture team, and liaising with external experts like the National Cyber Security Centre. As a subject matter expert, the manager will also promote cybersecurity awareness and ensure compliance. Despite the high-profile nature of the job,
Starting point is 00:27:16 the starting salary is £75,000 for a 37-and-a-half-hour workweek, which is modest considering London's cost of living. Perks include discounts at Royal Collection Trust shops and free admission tickets, although these might not compensate for the demanding nature of the job and relatively low pay.
Starting point is 00:27:39 One can only imagine what His Majesty's royal browser history contains. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com. We're privileged that N2K and podcasts like the Cyber Wire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the
Starting point is 00:28:26 value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Starting point is 00:29:38 Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
